CVE-2026-4038
Aimogen · Aimogen Pro (WordPress Plugin)
The Aimogen Pro plugin for WordPress allows unauthenticated arbitrary function calls. Attackers can exploit this to change the default user role to administrator and gain full site control.
Executive summary
A critical arbitrary function call vulnerability in the Aimogen Pro WordPress plugin allows unauthenticated attackers to escalate privileges and gain full administrative access to the website.
Vulnerability
The plugin lacks a capability check on the aiomatic_call_ai_function_realtime function. This allows an unauthenticated attacker to call arbitrary WordPress functions, such as update_option, to modify the site's default user role to "administrator" and enable open registration, facilitating an immediate administrative takeover.
Business impact
The CVSS score of 9.8 reflects the extreme risk of total site compromise. An attacker can gain full control over the WordPress dashboard, allowing them to delete content, steal user data, install malware, or use the site for further phishing campaigns. This results in a complete loss of integrity and confidentiality for the affected WordPress installation.
Remediation
Immediate Action: Update the Aimogen Pro plugin to the latest version (2.7.6 or higher). If an update is not available, deactivate and remove the plugin.
Proactive Monitoring: Check the WordPress users list for unauthorized administrator accounts and review the users_can_register and default_role options in the database for unauthorized changes.
Compensating Controls: Use a WordPress-specific Web Application Firewall (WAF) to block unauthorized requests to the admin-ajax.php and REST API endpoints associated with the plugin.
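The monitoring step above, as an added WP-CLI audit script that is not part of this advisory. It assumes WP-CLI (`wp`) is installed, that the script runs from the WordPress root, and that a clean site has default_role set to subscriber with registration closed; the CSV lines in the checks are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): audit the two options and the
# administrator list that the vulnerability described above lets an attacker change.
# Assumes WP-CLI ("wp") is installed and the script runs from the WordPress root.
set -euo pipefail

# Expected values on a site that does not allow self-registration.
EXPECTED_ROLE="subscriber"
EXPECTED_REGISTER="0"

# Returns 0 when default_role / users_can_register match the expected values, 1 otherwise.
check_registration_settings() {
  local default_role="$1" users_can_register="$2" rc=0
  if [ "$default_role" != "$EXPECTED_ROLE" ]; then
    echo "ALERT: default_role is '$default_role' (expected '$EXPECTED_ROLE')"
    rc=1
  fi
  if [ "$users_can_register" != "$EXPECTED_REGISTER" ]; then
    echo "ALERT: open registration is enabled (users_can_register=$users_can_register)"
    rc=1
  fi
  return "$rc"
}

# Reads CSV lines "ID,user_login,user_registered" (header first) on stdin and
# prints every administrator registered on or after CUTOFF (YYYY-MM-DD).
list_recent_admins() {
  local cutoff="$1"
  awk -F',' -v cutoff="$cutoff" \
    'NR > 1 && $3 >= cutoff { printf "REVIEW: admin %s (ID %s) registered %s\n", $2, $1, $3 }'
}

# Live audit against the site; CUTOFF defaults to 30 days ago (GNU date, then BSD date).
audit_site() {
  local cutoff="${1:-$(date -d '30 days ago' +%F 2>/dev/null || date -v-30d +%F)}"
  check_registration_settings \
    "$(wp option get default_role)" "$(wp option get users_can_register)" || true
  wp user list --role=administrator \
    --fields=ID,user_login,user_registered --format=csv | list_recent_admins "$cutoff"
}

# Only run the live audit when explicitly asked: ./audit.sh --run [YYYY-MM-DD]
if [ "${1:-}" = "--run" ]; then
  audit_site "${2:-}"
fi
```

Any ALERT or REVIEW line is a prompt to inspect the account or option, not proof of compromise; compare against your own change history before acting.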
Exploitation status
Public Exploit Available: No
Analyst recommendation
Site administrators must prioritize updating the Aimogen Pro plugin. The ease with which an unauthenticated attacker can achieve privilege escalation makes this vulnerability highly critical. After patching, a thorough audit of all administrative accounts is recommended to ensure no persistence has been established.